2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_reass.h>
31 #include <nat/nat_inlines.h>
33 #define foreach_nat_out2in_ed_error \
34 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
35 _(OUT2IN_PACKETS, "Good out2in packets processed") \
36 _(OUT_OF_PORTS, "Out of ports") \
37 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
38 _(NO_TRANSLATION, "No translation") \
39 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
40 _(DROP_FRAGMENT, "Drop fragment") \
41 _(MAX_REASS, "Maximum reassemblies exceeded") \
42 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
46 #define _(sym,str) NAT_OUT2IN_ED_ERROR_##sym,
47 foreach_nat_out2in_ed_error
49 NAT_OUT2IN_ED_N_ERROR,
50 } nat_out2in_ed_error_t;
52 static char *nat_out2in_ed_error_strings[] = {
53 #define _(sym,string) string,
54 foreach_nat_out2in_ed_error
60 NAT44_ED_OUT2IN_NEXT_DROP,
61 NAT44_ED_OUT2IN_NEXT_LOOKUP,
62 NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
63 NAT44_ED_OUT2IN_NEXT_IN2OUT,
64 NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
65 NAT44_ED_OUT2IN_NEXT_REASS,
66 NAT44_ED_OUT2IN_N_NEXT,
67 } nat44_ed_out2in_next_t;
75 } nat44_ed_out2in_trace_t;
77 vlib_node_registration_t nat44_ed_out2in_node;
78 vlib_node_registration_t nat44_ed_out2in_slowpath_node;
79 vlib_node_registration_t nat44_ed_out2in_reass_node;
82 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
84 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
85 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
86 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
90 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
91 "NAT44_OUT2IN_ED_FAST_PATH";
93 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
94 t->sw_if_index, t->next_index, t->session_index);
100 icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
101 ip4_header_t * ip0, icmp46_header_t * icmp0,
102 u32 sw_if_index0, u32 rx_fib_index0,
103 vlib_node_runtime_t * node, u32 next0, f64 now,
104 u32 thread_index, snat_session_t ** p_s0)
106 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
107 next0, thread_index, p_s0, 0);
108 snat_session_t *s0 = *p_s0;
109 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP && s0))
112 nat44_session_update_counters (s0, now,
113 vlib_buffer_length_in_chain
114 (sm->vlib_main, b0));
120 nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
122 snat_main_t *sm = &snat_main;
123 nat44_is_idle_session_ctx_t *ctx = arg;
125 u64 sess_timeout_time;
126 nat_ed_ses_key_t ed_key;
127 clib_bihash_kv_16_8_t ed_kv;
130 snat_session_key_t key;
131 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
134 s = pool_elt_at_index (tsm->sessions, kv->value);
135 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
136 if (ctx->now >= sess_timeout_time)
138 ed_key.l_addr = s->in2out.addr;
139 ed_key.r_addr = s->ext_host_addr;
140 ed_key.fib_index = s->in2out.fib_index;
141 if (snat_is_unk_proto_session (s))
143 ed_key.proto = s->in2out.port;
149 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
150 ed_key.l_port = s->in2out.port;
151 ed_key.r_port = s->ext_host_port;
153 if (is_twice_nat_session (s))
155 ed_key.r_addr = s->ext_host_nat_addr;
156 ed_key.r_port = s->ext_host_nat_port;
158 ed_kv.key[0] = ed_key.as_u64[0];
159 ed_kv.key[1] = ed_key.as_u64[1];
160 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
161 nat_log_warn ("in2out_ed key del failed");
163 if (snat_is_unk_proto_session (s))
166 snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32,
167 s->out2in.addr.as_u32,
171 s->in2out.fib_index);
173 if (is_twice_nat_session (s))
175 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
177 key.protocol = s->in2out.protocol;
178 key.port = s->ext_host_nat_port;
179 a = sm->twice_nat_addresses + i;
180 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
182 snat_free_outside_address_and_port (sm->twice_nat_addresses,
190 if (snat_is_session_static (s))
193 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
196 nat44_delete_session (sm, s, ctx->thread_index);
203 static snat_session_t *
204 create_session_for_static_mapping_ed (snat_main_t * sm,
206 snat_session_key_t l_key,
207 snat_session_key_t e_key,
208 vlib_node_runtime_t * node,
210 twice_nat_type_t twice_nat,
211 lb_nat_type_t lb_nat, f64 now)
217 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
218 clib_bihash_kv_16_8_t kv;
219 snat_session_key_t eh_key;
220 nat44_is_idle_session_ctx_t ctx;
222 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
224 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
225 nat_log_notice ("maximum sessions exceeded");
229 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index);
232 nat_log_warn ("create NAT user failed");
236 s = nat_ed_session_alloc (sm, u, thread_index, now);
239 nat44_delete_user_with_no_session (sm, u, thread_index);
240 nat_log_warn ("create NAT session failed");
244 ip = vlib_buffer_get_current (b);
245 udp = ip4_next_header (ip);
247 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
248 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
249 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
251 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
252 if (lb_nat == AFFINITY_LB_NAT)
253 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
254 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
257 s->in2out.protocol = s->out2in.protocol;
258 user_session_increment (sm, u, 1);
260 /* Add to lookup tables */
261 make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol,
262 e_key.fib_index, e_key.port, s->ext_host_port);
263 kv.value = s - tsm->sessions;
265 ctx.thread_index = thread_index;
266 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv,
267 nat44_o2i_ed_is_idle_session_cb,
269 nat_log_notice ("out2in-ed key add failed");
271 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
272 ip->src_address.as_u32 == l_key.addr.as_u32))
274 eh_key.protocol = e_key.protocol;
275 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
276 thread_index, &eh_key,
278 tsm->snat_thread_index))
280 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
281 nat44_delete_session (sm, s, thread_index);
282 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
283 nat_log_notice ("out2in-ed key del failed");
286 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
287 s->ext_host_nat_port = eh_key.port;
288 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
289 make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol,
290 l_key.fib_index, l_key.port, s->ext_host_nat_port);
294 make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol,
295 l_key.fib_index, l_key.port, s->ext_host_port);
297 kv.value = s - tsm->sessions;
298 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv,
299 nat44_i2o_ed_is_idle_session_cb,
301 nat_log_notice ("in2out-ed key add failed");
306 static_always_inline int
307 icmp_get_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
309 icmp46_header_t *icmp0;
310 nat_ed_ses_key_t key0;
311 icmp_echo_header_t *echo0, *inner_echo0 = 0;
312 ip4_header_t *inner_ip0;
314 icmp46_header_t *inner_icmp0;
316 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
317 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
319 if (!icmp_is_error_message (icmp0))
321 key0.proto = IP_PROTOCOL_ICMP;
322 key0.l_addr = ip0->dst_address;
323 key0.r_addr = ip0->src_address;
324 key0.l_port = echo0->identifier;
329 inner_ip0 = (ip4_header_t *) (echo0 + 1);
330 l4_header = ip4_next_header (inner_ip0);
331 key0.proto = inner_ip0->protocol;
332 key0.l_addr = inner_ip0->src_address;
333 key0.r_addr = inner_ip0->dst_address;
334 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
336 case SNAT_PROTOCOL_ICMP:
337 inner_icmp0 = (icmp46_header_t *) l4_header;
338 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
339 key0.l_port = inner_echo0->identifier;
342 case SNAT_PROTOCOL_UDP:
343 case SNAT_PROTOCOL_TCP:
344 key0.l_port = ((tcp_udp_header_t *) l4_header)->src_port;
345 key0.r_port = ((tcp_udp_header_t *) l4_header)->dst_port;
356 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
357 u16 dst_port, u32 thread_index, u32 rx_fib_index)
359 clib_bihash_kv_16_8_t kv, value;
360 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
362 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto,
363 rx_fib_index, src_port, dst_port);
364 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
371 create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
374 nat_ed_ses_key_t key;
375 clib_bihash_kv_16_8_t kv, value;
378 snat_session_t *s = 0;
379 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
380 f64 now = vlib_time_now (sm->vlib_main);
382 if (ip->protocol == IP_PROTOCOL_ICMP)
384 if (icmp_get_ed_key (ip, &key))
387 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
389 udp = ip4_next_header (ip);
390 key.r_addr = ip->src_address;
391 key.l_addr = ip->dst_address;
392 key.proto = ip->protocol;
393 key.l_port = udp->dst_port;
394 key.r_port = udp->src_port;
398 key.r_addr = ip->src_address;
399 key.l_addr = ip->dst_address;
400 key.proto = ip->protocol;
401 key.l_port = key.r_port = 0;
404 kv.key[0] = key.as_u64[0];
405 kv.key[1] = key.as_u64[1];
407 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
409 s = pool_elt_at_index (tsm->sessions, value.value);
413 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
416 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index,
420 nat_log_warn ("create NAT user failed");
424 s = nat_ed_session_alloc (sm, u, thread_index, now);
427 nat44_delete_user_with_no_session (sm, u, thread_index);
428 nat_log_warn ("create NAT session failed");
432 s->ext_host_addr = key.r_addr;
433 s->ext_host_port = key.r_port;
434 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
435 s->out2in.addr = key.l_addr;
436 s->out2in.port = key.l_port;
437 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
438 s->out2in.fib_index = 0;
439 s->in2out = s->out2in;
440 user_session_increment (sm, u, 0);
442 kv.value = s - tsm->sessions;
443 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
444 nat_log_notice ("in2out_ed key add failed");
447 if (ip->protocol == IP_PROTOCOL_TCP)
449 tcp_header_t *tcp = ip4_next_header (ip);
450 if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
455 nat44_session_update_counters (s, now, 0);
459 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
460 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
461 u8 * p_proto, snat_session_key_t * p_value,
462 u8 * p_dont_translate, void *d, void *e)
464 u32 next = ~0, sw_if_index, rx_fib_index;
465 icmp46_header_t *icmp;
466 nat_ed_ses_key_t key;
467 clib_bihash_kv_16_8_t kv, value;
468 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
469 snat_session_t *s = 0;
470 u8 dont_translate = 0, is_addr_only;
471 snat_session_key_t e_key, l_key;
473 icmp = (icmp46_header_t *) ip4_next_header (ip);
474 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
475 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
477 if (icmp_get_ed_key (ip, &key))
479 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
480 next = NAT44_ED_OUT2IN_NEXT_DROP;
483 key.fib_index = rx_fib_index;
484 kv.key[0] = key.as_u64[0];
485 kv.key[1] = key.as_u64[1];
487 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
489 /* Try to match static mapping */
490 e_key.addr = ip->dst_address;
491 e_key.port = key.l_port;
492 e_key.protocol = ip_proto_to_snat_proto (key.proto);
493 e_key.fib_index = rx_fib_index;
494 if (snat_static_mapping_match
495 (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0))
497 if (!sm->forwarding_enabled)
499 /* Don't NAT packet aimed at the intfc address */
500 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index,
501 ip->dst_address.as_u32)))
506 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
507 next = NAT44_ED_OUT2IN_NEXT_DROP;
513 if (next_src_nat (sm, ip, key.proto, key.l_port, key.r_port,
514 thread_index, rx_fib_index))
516 next = NAT44_ED_OUT2IN_NEXT_IN2OUT;
519 create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
524 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
525 (icmp->type != ICMP4_echo_request || !is_addr_only)))
527 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
528 next = NAT44_ED_OUT2IN_NEXT_DROP;
532 /* Create session initiated by host from external network */
533 s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node,
540 next = NAT44_ED_OUT2IN_NEXT_DROP;
546 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
547 icmp->type != ICMP4_echo_request &&
548 !icmp_is_error_message (icmp)))
550 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
551 next = NAT44_ED_OUT2IN_NEXT_DROP;
555 s = pool_elt_at_index (tsm->sessions, value.value);
558 *p_proto = ip_proto_to_snat_proto (key.proto);
561 *p_value = s->in2out;
562 *p_dont_translate = dont_translate;
564 *(snat_session_t **) d = s;
568 static snat_session_t *
569 nat44_ed_out2in_unknown_proto (snat_main_t * sm,
575 vlib_main_t * vm, vlib_node_runtime_t * node)
577 clib_bihash_kv_8_8_t kv, value;
578 clib_bihash_kv_16_8_t s_kv, s_value;
579 snat_static_mapping_t *m;
580 u32 old_addr, new_addr;
583 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
586 old_addr = ip->dst_address.as_u32;
588 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
591 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
593 s = pool_elt_at_index (tsm->sessions, s_value.value);
594 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
598 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
600 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
601 nat_log_notice ("maximum sessions exceeded");
605 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
606 if (clib_bihash_search_8_8
607 (&sm->static_mapping_by_external, &kv, &value))
609 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
613 m = pool_elt_at_index (sm->static_mappings, value.value);
615 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
617 u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index,
621 nat_log_warn ("create NAT user failed");
625 /* Create a new session */
626 s = nat_ed_session_alloc (sm, u, thread_index, now);
629 nat44_delete_user_with_no_session (sm, u, thread_index);
630 nat_log_warn ("create NAT session failed");
634 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
635 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
636 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
637 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
638 s->out2in.addr.as_u32 = old_addr;
639 s->out2in.fib_index = rx_fib_index;
640 s->in2out.addr.as_u32 = new_addr;
641 s->in2out.fib_index = m->fib_index;
642 s->in2out.port = s->out2in.port = ip->protocol;
643 user_session_increment (sm, u, 1);
645 /* Add to lookup tables */
646 s_kv.value = s - tsm->sessions;
647 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
648 nat_log_notice ("out2in key add failed");
650 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
652 s_kv.value = s - tsm->sessions;
653 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
654 nat_log_notice ("in2out key add failed");
657 /* Update IP checksum */
659 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
660 ip->checksum = ip_csum_fold (sum);
662 vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
665 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b));
671 nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
672 vlib_node_runtime_t * node,
673 vlib_frame_t * frame, int is_slow_path)
675 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
676 nat44_ed_out2in_next_t next_index;
677 snat_main_t *sm = &snat_main;
678 f64 now = vlib_time_now (vm);
679 u32 thread_index = vm->thread_index;
680 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
682 stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index :
683 nat44_ed_out2in_node.index;
685 from = vlib_frame_vector_args (frame);
686 n_left_from = frame->n_vectors;
687 next_index = node->cached_next_index;
689 while (n_left_from > 0)
693 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
695 while (n_left_from >= 4 && n_left_to_next >= 2)
698 vlib_buffer_t *b0, *b1;
699 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
701 u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1,
703 u16 old_port0, new_port0, old_port1, new_port1;
704 ip4_header_t *ip0, *ip1;
705 udp_header_t *udp0, *udp1;
706 tcp_header_t *tcp0, *tcp1;
707 icmp46_header_t *icmp0, *icmp1;
708 snat_session_t *s0 = 0, *s1 = 0;
709 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
710 ip_csum_t sum0, sum1;
711 snat_session_key_t e_key0, l_key0, e_key1, l_key1;
712 lb_nat_type_t lb_nat0, lb_nat1;
713 twice_nat_type_t twice_nat0, twice_nat1;
715 /* Prefetch next iteration. */
717 vlib_buffer_t *p2, *p3;
719 p2 = vlib_get_buffer (vm, from[2]);
720 p3 = vlib_get_buffer (vm, from[3]);
722 vlib_prefetch_buffer_header (p2, LOAD);
723 vlib_prefetch_buffer_header (p3, LOAD);
725 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
726 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
729 /* speculatively enqueue b0 and b1 to the current next frame */
730 to_next[0] = bi0 = from[0];
731 to_next[1] = bi1 = from[1];
737 b0 = vlib_get_buffer (vm, bi0);
738 b1 = vlib_get_buffer (vm, bi1);
740 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
741 vnet_buffer (b0)->snat.flags = 0;
742 ip0 = vlib_buffer_get_current (b0);
744 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
746 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
749 if (PREDICT_FALSE (ip0->ttl == 1))
751 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
752 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
753 ICMP4_time_exceeded_ttl_exceeded_in_transit,
755 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
759 udp0 = ip4_next_header (ip0);
760 tcp0 = (tcp_header_t *) udp0;
761 icmp0 = (icmp46_header_t *) udp0;
762 proto0 = ip_proto_to_snat_proto (ip0->protocol);
766 if (PREDICT_FALSE (proto0 == ~0))
769 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
770 thread_index, now, vm,
772 if (!sm->forwarding_enabled)
775 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
780 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
782 next0 = icmp_out2in_ed_slow_path
783 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
784 next0, now, thread_index, &s0);
790 if (PREDICT_FALSE (proto0 == ~0))
792 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
796 if (ip4_is_fragment (ip0))
798 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
802 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
804 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
809 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
810 ip0->protocol, rx_fib_index0, udp0->dst_port,
813 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
817 /* Try to match static mapping by external address and port,
818 destination address and port in packet */
819 e_key0.addr = ip0->dst_address;
820 e_key0.port = udp0->dst_port;
821 e_key0.protocol = proto0;
822 e_key0.fib_index = rx_fib_index0;
823 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
824 &twice_nat0, &lb_nat0,
828 * Send DHCP packets to the ipv4 stack, or we won't
829 * be able to use dhcp client on the outside interface
831 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
832 && (udp0->dst_port ==
834 (UDP_DST_PORT_dhcp_to_client))))
836 vnet_feature_next (&next0, b0);
840 if (!sm->forwarding_enabled)
843 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
844 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
848 if (next_src_nat (sm, ip0, ip0->protocol,
849 udp0->src_port, udp0->dst_port,
850 thread_index, rx_fib_index0))
852 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
855 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
861 /* Create session initiated by host from external network */
862 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
870 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
876 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
882 s0 = pool_elt_at_index (tsm->sessions, value0.value);
885 old_addr0 = ip0->dst_address.as_u32;
886 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
887 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
889 sum0 = ip0->checksum;
890 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
892 if (PREDICT_FALSE (is_twice_nat_session (s0)))
893 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
894 s0->ext_host_nat_addr.as_u32, ip4_header_t,
896 ip0->checksum = ip_csum_fold (sum0);
898 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
900 old_port0 = tcp0->dst_port;
901 new_port0 = tcp0->dst_port = s0->in2out.port;
903 sum0 = tcp0->checksum;
904 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
906 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
908 if (is_twice_nat_session (s0))
910 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
911 s0->ext_host_nat_addr.as_u32,
912 ip4_header_t, dst_address);
913 sum0 = ip_csum_update (sum0, tcp0->src_port,
914 s0->ext_host_nat_port, ip4_header_t,
916 tcp0->src_port = s0->ext_host_nat_port;
917 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
919 tcp0->checksum = ip_csum_fold (sum0);
920 if (nat44_set_tcp_session_state_o2i
921 (sm, s0, tcp0, thread_index))
926 udp0->dst_port = s0->in2out.port;
927 if (is_twice_nat_session (s0))
929 udp0->src_port = s0->ext_host_nat_port;
930 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
936 nat44_session_update_counters (s0, now,
937 vlib_buffer_length_in_chain (vm,
941 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
942 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
944 nat44_ed_out2in_trace_t *t =
945 vlib_add_trace (vm, node, b0, sizeof (*t));
946 t->is_slow_path = is_slow_path;
947 t->sw_if_index = sw_if_index0;
948 t->next_index = next0;
949 t->session_index = ~0;
951 t->session_index = s0 - tsm->sessions;
954 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
956 next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
957 vnet_buffer (b1)->snat.flags = 0;
958 ip1 = vlib_buffer_get_current (b1);
960 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
962 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
965 if (PREDICT_FALSE (ip1->ttl == 1))
967 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
968 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
969 ICMP4_time_exceeded_ttl_exceeded_in_transit,
971 next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
975 udp1 = ip4_next_header (ip1);
976 tcp1 = (tcp_header_t *) udp1;
977 icmp1 = (icmp46_header_t *) udp1;
978 proto1 = ip_proto_to_snat_proto (ip1->protocol);
982 if (PREDICT_FALSE (proto1 == ~0))
985 nat44_ed_out2in_unknown_proto (sm, b1, ip1, rx_fib_index1,
986 thread_index, now, vm,
988 if (!sm->forwarding_enabled)
991 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
996 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
998 next1 = icmp_out2in_ed_slow_path
999 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1000 next1, now, thread_index, &s1);
1006 if (PREDICT_FALSE (proto1 == ~0))
1008 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1012 if (ip4_is_fragment (ip1))
1014 next1 = NAT44_ED_OUT2IN_NEXT_REASS;
1018 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1020 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1025 make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address,
1026 ip1->protocol, rx_fib_index1, udp1->dst_port,
1029 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
1033 /* Try to match static mapping by external address and port,
1034 destination address and port in packet */
1035 e_key1.addr = ip1->dst_address;
1036 e_key1.port = udp1->dst_port;
1037 e_key1.protocol = proto1;
1038 e_key1.fib_index = rx_fib_index1;
1039 if (snat_static_mapping_match (sm, e_key1, &l_key1, 1, 0,
1040 &twice_nat1, &lb_nat1,
1044 * Send DHCP packets to the ipv4 stack, or we won't
1045 * be able to use dhcp client on the outside interface
1047 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1048 && (udp1->dst_port ==
1049 clib_host_to_net_u16
1050 (UDP_DST_PORT_dhcp_to_client))))
1052 vnet_feature_next (&next1, b1);
1056 if (!sm->forwarding_enabled)
1059 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1060 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1064 if (next_src_nat (sm, ip1, ip1->protocol,
1065 udp1->src_port, udp1->dst_port,
1066 thread_index, rx_fib_index1))
1068 next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1071 create_bypass_for_fwd (sm, ip1, rx_fib_index1,
1077 /* Create session initiated by host from external network */
1078 s1 = create_session_for_static_mapping_ed (sm, b1, l_key1,
1086 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1092 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1098 s1 = pool_elt_at_index (tsm->sessions, value1.value);
1101 old_addr1 = ip1->dst_address.as_u32;
1102 new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32;
1103 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1105 sum1 = ip1->checksum;
1106 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1108 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1109 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1110 s1->ext_host_nat_addr.as_u32, ip4_header_t,
1112 ip1->checksum = ip_csum_fold (sum1);
1114 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1116 old_port1 = tcp1->dst_port;
1117 new_port1 = tcp1->dst_port = s1->in2out.port;
1119 sum1 = tcp1->checksum;
1120 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1122 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1124 if (is_twice_nat_session (s1))
1126 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1127 s1->ext_host_nat_addr.as_u32,
1128 ip4_header_t, dst_address);
1129 sum1 = ip_csum_update (sum1, tcp1->src_port,
1130 s1->ext_host_nat_port, ip4_header_t,
1132 tcp1->src_port = s1->ext_host_nat_port;
1133 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1135 tcp1->checksum = ip_csum_fold (sum1);
1136 if (nat44_set_tcp_session_state_o2i
1137 (sm, s1, tcp1, thread_index))
1142 udp1->dst_port = s1->in2out.port;
1143 if (is_twice_nat_session (s1))
1145 udp1->src_port = s1->ext_host_nat_port;
1146 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1152 nat44_session_update_counters (s1, now,
1153 vlib_buffer_length_in_chain (vm,
1157 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1158 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1160 nat44_ed_out2in_trace_t *t =
1161 vlib_add_trace (vm, node, b1, sizeof (*t));
1162 t->is_slow_path = is_slow_path;
1163 t->sw_if_index = sw_if_index1;
1164 t->next_index = next1;
1165 t->session_index = ~0;
1167 t->session_index = s1 - tsm->sessions;
1170 pkts_processed += next1 != NAT44_ED_OUT2IN_NEXT_DROP;
1172 /* verify speculative enqueues, maybe switch current next frame */
1173 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1174 to_next, n_left_to_next,
1175 bi0, bi1, next0, next1);
1178 while (n_left_from > 0 && n_left_to_next > 0)
1182 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
1184 u16 old_port0, new_port0;
1188 icmp46_header_t *icmp0;
1189 snat_session_t *s0 = 0;
1190 clib_bihash_kv_16_8_t kv0, value0;
1192 snat_session_key_t e_key0, l_key0;
1193 lb_nat_type_t lb_nat0;
1194 twice_nat_type_t twice_nat0;
1196 /* speculatively enqueue b0 to the current next frame */
1202 n_left_to_next -= 1;
1204 b0 = vlib_get_buffer (vm, bi0);
1205 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1206 vnet_buffer (b0)->snat.flags = 0;
1207 ip0 = vlib_buffer_get_current (b0);
1209 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1211 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1214 if (PREDICT_FALSE (ip0->ttl == 1))
1216 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1217 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1218 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1220 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
1224 udp0 = ip4_next_header (ip0);
1225 tcp0 = (tcp_header_t *) udp0;
1226 icmp0 = (icmp46_header_t *) udp0;
1227 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1231 if (PREDICT_FALSE (proto0 == ~0))
1234 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
1235 thread_index, now, vm,
1237 if (!sm->forwarding_enabled)
1240 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1245 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1247 next0 = icmp_out2in_ed_slow_path
1248 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1249 next0, now, thread_index, &s0);
1255 if (PREDICT_FALSE (proto0 == ~0))
1257 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1261 if (ip4_is_fragment (ip0))
1263 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
1267 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1269 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1274 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1275 ip0->protocol, rx_fib_index0, udp0->dst_port,
1278 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
1282 /* Try to match static mapping by external address and port,
1283 destination address and port in packet */
1284 e_key0.addr = ip0->dst_address;
1285 e_key0.port = udp0->dst_port;
1286 e_key0.protocol = proto0;
1287 e_key0.fib_index = rx_fib_index0;
1288 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1289 &twice_nat0, &lb_nat0,
1293 * Send DHCP packets to the ipv4 stack, or we won't
1294 * be able to use dhcp client on the outside interface
1296 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1297 && (udp0->dst_port ==
1298 clib_host_to_net_u16
1299 (UDP_DST_PORT_dhcp_to_client))))
1301 vnet_feature_next (&next0, b0);
1305 if (!sm->forwarding_enabled)
1308 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1309 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1313 if (next_src_nat (sm, ip0, ip0->protocol,
1314 udp0->src_port, udp0->dst_port,
1315 thread_index, rx_fib_index0))
1317 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1320 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1326 /* Create session initiated by host from external network */
1327 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1335 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1341 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1347 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1350 old_addr0 = ip0->dst_address.as_u32;
1351 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
1352 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1354 sum0 = ip0->checksum;
1355 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1357 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1358 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1359 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1361 ip0->checksum = ip_csum_fold (sum0);
1363 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1365 old_port0 = tcp0->dst_port;
1366 new_port0 = tcp0->dst_port = s0->in2out.port;
1368 sum0 = tcp0->checksum;
1369 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1371 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1373 if (is_twice_nat_session (s0))
1375 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1376 s0->ext_host_nat_addr.as_u32,
1377 ip4_header_t, dst_address);
1378 sum0 = ip_csum_update (sum0, tcp0->src_port,
1379 s0->ext_host_nat_port, ip4_header_t,
1381 tcp0->src_port = s0->ext_host_nat_port;
1382 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1384 tcp0->checksum = ip_csum_fold (sum0);
1385 if (nat44_set_tcp_session_state_o2i
1386 (sm, s0, tcp0, thread_index))
1391 udp0->dst_port = s0->in2out.port;
1392 if (is_twice_nat_session (s0))
1394 udp0->src_port = s0->ext_host_nat_port;
1395 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1401 nat44_session_update_counters (s0, now,
1402 vlib_buffer_length_in_chain (vm,
1406 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1407 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1409 nat44_ed_out2in_trace_t *t =
1410 vlib_add_trace (vm, node, b0, sizeof (*t));
1411 t->is_slow_path = is_slow_path;
1412 t->sw_if_index = sw_if_index0;
1413 t->next_index = next0;
1414 t->session_index = ~0;
1416 t->session_index = s0 - tsm->sessions;
1419 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
1420 /* verify speculative enqueue, maybe switch current next frame */
1421 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1422 to_next, n_left_to_next,
1426 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1429 vlib_node_increment_counter (vm, stats_node_index,
1430 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1432 return frame->n_vectors;
1436 nat44_ed_out2in_fast_path_fn (vlib_main_t * vm,
1437 vlib_node_runtime_t * node,
1438 vlib_frame_t * frame)
1440 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0);
1444 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1445 .function = nat44_ed_out2in_fast_path_fn,
1446 .name = "nat44-ed-out2in",
1447 .vector_size = sizeof (u32),
1448 .format_trace = format_nat44_ed_out2in_trace,
1449 .type = VLIB_NODE_TYPE_INTERNAL,
1450 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1451 .error_strings = nat_out2in_ed_error_strings,
1452 .runtime_data_bytes = sizeof (snat_runtime_t),
1453 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1455 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1456 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1457 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1458 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1459 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1460 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1465 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node,
1466 nat44_ed_out2in_fast_path_fn);
1469 nat44_ed_out2in_slow_path_fn (vlib_main_t * vm,
1470 vlib_node_runtime_t * node,
1471 vlib_frame_t * frame)
1473 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1);
1477 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1478 .function = nat44_ed_out2in_slow_path_fn,
1479 .name = "nat44-ed-out2in-slowpath",
1480 .vector_size = sizeof (u32),
1481 .format_trace = format_nat44_ed_out2in_trace,
1482 .type = VLIB_NODE_TYPE_INTERNAL,
1483 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1484 .error_strings = nat_out2in_ed_error_strings,
1485 .runtime_data_bytes = sizeof (snat_runtime_t),
1486 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1488 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1489 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1490 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1491 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1492 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1493 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1498 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node,
1499 nat44_ed_out2in_slow_path_fn);
1502 nat44_ed_out2in_reass_node_fn (vlib_main_t * vm,
1503 vlib_node_runtime_t * node,
1504 vlib_frame_t * frame)
1506 u32 n_left_from, *from, *to_next;
1507 nat44_ed_out2in_next_t next_index;
1508 u32 pkts_processed = 0;
1509 snat_main_t *sm = &snat_main;
1510 f64 now = vlib_time_now (vm);
1511 u32 thread_index = vm->thread_index;
1512 snat_main_per_thread_data_t *per_thread_data =
1513 &sm->per_thread_data[thread_index];
1514 u32 *fragments_to_drop = 0;
1515 u32 *fragments_to_loopback = 0;
1517 from = vlib_frame_vector_args (frame);
1518 n_left_from = frame->n_vectors;
1519 next_index = node->cached_next_index;
1521 while (n_left_from > 0)
1525 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1527 while (n_left_from > 0 && n_left_to_next > 0)
1529 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1534 nat_reass_ip4_t *reass0;
1537 icmp46_header_t *icmp0;
1538 clib_bihash_kv_16_8_t kv0, value0;
1539 snat_session_t *s0 = 0;
1540 u16 old_port0, new_port0;
1542 snat_session_key_t e_key0, l_key0;
1544 twice_nat_type_t twice_nat0;
1546 /* speculatively enqueue b0 to the current next frame */
1552 n_left_to_next -= 1;
1554 b0 = vlib_get_buffer (vm, bi0);
1555 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1557 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1559 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1562 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1564 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1565 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT];
1569 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1570 udp0 = ip4_next_header (ip0);
1571 tcp0 = (tcp_header_t *) udp0;
1572 icmp0 = (icmp46_header_t *) udp0;
1573 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1575 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1579 1, &fragments_to_drop);
1581 if (PREDICT_FALSE (!reass0))
1583 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1584 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_REASS];
1585 nat_log_notice ("maximum reassemblies exceeded");
1589 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1591 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1593 next0 = icmp_out2in_ed_slow_path
1594 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1595 next0, now, thread_index, &s0);
1597 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP))
1600 reass0->sess_index = s0 - per_thread_data->sessions;
1602 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1603 reass0->thread_index = thread_index;
1604 nat_ip4_reass_get_frags (reass0,
1605 &fragments_to_loopback);
1611 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1612 ip0->protocol, rx_fib_index0, udp0->dst_port,
1615 if (clib_bihash_search_16_8
1616 (&per_thread_data->out2in_ed, &kv0, &value0))
1618 /* Try to match static mapping by external address and port,
1619 destination address and port in packet */
1620 e_key0.addr = ip0->dst_address;
1621 e_key0.port = udp0->dst_port;
1622 e_key0.protocol = proto0;
1623 e_key0.fib_index = rx_fib_index0;
1624 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1625 &twice_nat0, &lb0, 0))
1628 * Send DHCP packets to the ipv4 stack, or we won't
1629 * be able to use dhcp client on the outside interface
1631 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1634 clib_host_to_net_u16
1635 (UDP_DST_PORT_dhcp_to_client))))
1637 vnet_feature_next (&next0, b0);
1641 if (!sm->forwarding_enabled)
1644 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1645 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1649 if (next_src_nat (sm, ip0, ip0->protocol,
1650 udp0->src_port, udp0->dst_port,
1651 thread_index, rx_fib_index0))
1653 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1656 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1658 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1659 nat_ip4_reass_get_frags (reass0,
1660 &fragments_to_loopback);
1665 /* Create session initiated by host from external network */
1666 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1674 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1675 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1678 reass0->sess_index = s0 - per_thread_data->sessions;
1679 reass0->thread_index = thread_index;
1683 s0 = pool_elt_at_index (per_thread_data->sessions,
1685 reass0->sess_index = value0.value;
1687 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1691 if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
1693 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1695 if (nat_ip4_reass_add_fragment
1696 (reass0, bi0, &fragments_to_drop))
1698 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_FRAG];
1700 ("maximum fragments per reassembly exceeded");
1701 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1707 s0 = pool_elt_at_index (per_thread_data->sessions,
1708 reass0->sess_index);
1711 old_addr0 = ip0->dst_address.as_u32;
1712 ip0->dst_address = s0->in2out.addr;
1713 new_addr0 = ip0->dst_address.as_u32;
1714 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1716 sum0 = ip0->checksum;
1717 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1719 dst_address /* changed member */ );
1720 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1721 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1722 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1724 ip0->checksum = ip_csum_fold (sum0);
1726 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1728 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1730 old_port0 = tcp0->dst_port;
1731 tcp0->dst_port = s0->in2out.port;
1732 new_port0 = tcp0->dst_port;
1734 sum0 = tcp0->checksum;
1735 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1737 dst_address /* changed member */ );
1739 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1740 ip4_header_t /* cheat */ ,
1741 length /* changed member */ );
1742 if (is_twice_nat_session (s0))
1744 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1745 s0->ext_host_nat_addr.as_u32,
1746 ip4_header_t, dst_address);
1747 sum0 = ip_csum_update (sum0, tcp0->src_port,
1748 s0->ext_host_nat_port,
1749 ip4_header_t, length);
1750 tcp0->src_port = s0->ext_host_nat_port;
1751 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1753 tcp0->checksum = ip_csum_fold (sum0);
1757 old_port0 = udp0->dst_port;
1758 udp0->dst_port = s0->in2out.port;
1759 if (is_twice_nat_session (s0))
1761 udp0->src_port = s0->ext_host_nat_port;
1762 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1769 nat44_session_update_counters (s0, now,
1770 vlib_buffer_length_in_chain (vm,
1774 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1775 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1777 nat44_reass_trace_t *t =
1778 vlib_add_trace (vm, node, b0, sizeof (*t));
1779 t->cached = cached0;
1780 t->sw_if_index = sw_if_index0;
1781 t->next_index = next0;
1791 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
1793 /* verify speculative enqueue, maybe switch current next frame */
1794 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1795 to_next, n_left_to_next,
1799 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1801 from = vlib_frame_vector_args (frame);
1802 u32 len = vec_len (fragments_to_loopback);
1803 if (len <= VLIB_FRAME_SIZE)
1805 clib_memcpy (from, fragments_to_loopback,
1806 sizeof (u32) * len);
1808 vec_reset_length (fragments_to_loopback);
1813 fragments_to_loopback + (len -
1815 sizeof (u32) * VLIB_FRAME_SIZE);
1816 n_left_from = VLIB_FRAME_SIZE;
1817 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1822 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1825 vlib_node_increment_counter (vm, nat44_ed_out2in_reass_node.index,
1826 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1829 nat_send_all_to_node (vm, fragments_to_drop, node,
1830 &node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT],
1831 NAT44_ED_OUT2IN_NEXT_DROP);
1833 vec_free (fragments_to_drop);
1834 vec_free (fragments_to_loopback);
1835 return frame->n_vectors;
1839 VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = {
1840 .function = nat44_ed_out2in_reass_node_fn,
1841 .name = "nat44-ed-out2in-reass",
1842 .vector_size = sizeof (u32),
1843 .format_trace = format_nat44_reass_trace,
1844 .type = VLIB_NODE_TYPE_INTERNAL,
1845 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1846 .error_strings = nat_out2in_ed_error_strings,
1847 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1849 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1850 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1851 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1852 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1853 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1854 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1859 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_reass_node,
1860 nat44_ed_out2in_reass_node_fn);
1863 * fd.io coding-style-patch-verification: ON
1866 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob